Sunday, May 6, 2012

Chain-Link Confidentiality: A HIPAA-Like Approach To Online Privacy

Frederic Lardinois
May 5, 2012
As we put more of our private information online and entrust it to web services, privacy breaches become almost inevitable. One major problem with online privacy is that there is really no enforceable chain of confidentiality. So when a third-party service makes your information available to another party, things can get complicated. A new paper by Samford University law professor Woodrow Harzog argues that traditional privacy laws aren’t the best ways to protect private information online. Instead, he suggests an approach that’s more like the U.S. HIPAA rules that currently govern how private health information can be shared between your health provider and third parties. The system he proposes would be based on established principles in confidentiality and contract law.
Confidentiality law, says Harzog, typically only binds the first recipient of information. Online, that obviously isn’t enough to protect a user’s privacy and most scholars have argued that confidentiality law is simply not suited to deal with online privacy issues. Harzog, however, argues that a HIPAA-like “chain-link confidentiality” regime would be more effective in protecting users’ privacy than current regulations. This system would not just ensure confidentiality between the user and the first service where data is stored, but the obligation of confidentiality would also flow downstream. Under this regime, he writes, “Internet users could then pursue a remedy against anyone in the chain who either failed to abide by her obligation of confidentiality or failed to require confidentiality of a third-party recipient.”
Harzog argues that our current privacy regulations are “a patchwork of laws and remedies” and often in conflict with other laws and evolving technologies. It’s also often unclear how “privacy” is actually defined and what, for example, constitutes a “reasonable expectations of privacy.” In Harzog’s view, “traditional privacy remedies are inadequate in the digital age.”
Here is what chain-link confidentiality on the Internet would look like in practice: a website that collects your personal information (and that explicitly allow to share your information with other services) would also have to establish a confidentiality contract with any other company it discloses your information to – and those companies would be required to establish the same kind of contract with every subsequent recipient as well. These contracts, of course, could also simply prohibit any further dissemination of your personal information or limit it to certain companies or companies that fulfill certain security requirements. Every web service could, of course, also tweak this contract depending on its needs.
In a way, this isn’t all that different from the Creative Commons “Share Alike” provision: depending on the Creative Commons license used – artist can allow others to remix their work, for example, as long as it is then shared under the same license terms as the original work.
The chain-link confidentiality approach then would allow for the flow of information, says Harzog, ” by continually re-creating an environment for sharing that accommodates the sender, receiver, and the subject of the personal information.”
Even though this isn’t a cure-all – your information, after all, could still leak out or be scraped by others – it’s an interesting way of looking at privacy from a more contractual point of view, especially because it sets up a legal framework for sharing information between services.
For the more lawyerly and in-depth discussion of this, take a look at Harzog’s paper here.